IE 7 exposed to phishing attacks

Attackers could exploit a new flaw in Internet Explorer 7 (IE 7) to launch phishing expeditions, Israeli vulnerability researcher Aviv Raff warned in a posting on his blog Wednesday. Microsoft said it is investigating his findings.

Raff said IE 7 running on Windows XP and Vista is susceptible to cross-site scripting attacks. That combined with a design flaw in the browser could allow digital miscreants to launch phishing schemes against users, he added.

"I think it is a serious vulnerability, because it allows a phisher to take advantage of the user without the need to create a look alike URL," Raff said in an instant message exchange. "The user will see the trusted URL in the address bar and the fake content provided by the phisher."

Raff said he is unaware of any exploits in the wild. Microsoft issued a statement saying that it's investigating the flaw but has seen no evidence of active exploits to date.

BlackBerry flaw repaired

IT administrators are being advised to upgrade to BlackBerry Device Software 4.2 Service Pack 1 to fix a flaw in earlier versions that attackers could exploit to cause a denial of service. According to the French Security Incident Response Team (FrSIRT), the problem is an error in the BlackBerry browser that fails to properly handle overly long URLs.

Attackers could exploit this to cause a vulnerable device to become slow or to stop responding by tricking a user into following a specially crafted link. The problem affects BlackBerry Device Software version 4.2 and prior. The solution is to upgrade to BlackBerry Device Software 4.2 Service Pack 1.

The flaw was found in OpenBSD's kernel and involves the way the OS handles certain kinds of IPv6 packets, according to the researchers at Core Security Technologies Inc. who discovered the problem. The vulnerability affects versions 3.1, 3.6, 3.8, 3.9, 4.0 and 4.1 of OpenBSD. Also, all other versions that support the IPv6 stack are thought to be vulnerable.

The OpenBSD team has released a patch and a workaround for the flaw. Because this is a kernel-level vulnerability, administrators will need to rebuild their kernels after installing the patch.

In order to exploit the flaw, an attacker need only be able to send fragmented IPv6 packets to a target system. This requires direct access to the target network; however, the attacker's machine does not need to have its own IPv6 stack in order for the exploit to work, Core said. Users who don't need to route IPv6 traffic can block those packets using OpenBSD's native firewall.

The Cupertino, Calif.-based company addressed some critical issues in its software that were discovered as part of the Month of Apple Bugs and the Month of Kernel Bugs. The update also fixes flaws in some third-party applications, such as Adobe Systems Flash Player and the MySQL database.

Several flaws could be exploited by an attacker to conduct a denial-of-service attack or elevate privileges to access data, according to a security alert issued Tuesday by Apple. Other flaws could allow an attacker to gain full control over a victim's computer.

Apple Mac OS X and Mac OS X Server versions 10.4.8 and earlier are affected. The software vendor said its automatic update would fix the issues.
